This page provides an overview of route exchange between hybrid spokes and Virtual Private Cloud (VPC) spokes in Network Connectivity Center.
Route exchange with VPC spokes lets you connect VPC spokes and hybrid spokes, such as Cloud Interconnect VLAN attachments, HA VPN tunnels, and Router appliance VMs on the same hub, which enables highly scalable any-to-any network connectivity between all such spokes attached to a single hub. Using VPC spokes and hybrid spokes on the same hub lets you connect multiple on-premises networks and Google Cloud VPC networks.
Workload VPC networks
A workload VPC network is a VPC network that a spoke administrator adds to a hub as a VPC spoke. A workload VPC network can be a standalone VPC network, or it can be a Shared VPC network. A workload VPC network can be located in either the same project as the Network Connectivity Center hub or a different project in the same or another organization.
Routing VPC networks
A routing VPC network is a VPC network that contains at least one hybrid spoke with Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs.
A routing VPC network can optionally also be connected as a VPC spoke on the same hub as its hybrid spokes.
Each routing VPC network—and the Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs that use the routing VPC network—must be located in the same project as the Network Connectivity Center hub.
Establishing connectivity between hybrid spokes and VPC spokes
You can establish connectivity between hybrid spokes and VPC spokes by adding workload VPC networks to a Network Connectivity Center hub as VPC spokes, then you add Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs to the same hub as hybrid spokes. The Cloud Interconnect VLAN attachments, HA VPN tunnels, or Router appliance VMs in each hybrid spoke are also associated with one or more routing VPC networks, but the routing VPC networks themselves need not be added to the Network Connectivity Center hub as VPC spokes.
To establish connectivity between hybrid spokes and VPC spokes:
Network administrators for the routing VPC networks must first review the Cloud Router path selection and dynamic routing mode:
Network Connectivity Center hybrid spokes only support the Cloud Router legacy best path selection mode. For detailed information about Cloud Router path selection, see best path selection in the Cloud Router documentation.
Network Connectivity Center hybrid spokes support both global and regional dynamic routing modes. The dynamic routing mode of a routing VPC network determines in which regions the Network Connectivity Center dynamic routes are programmed in the VPC spokes:
If the dynamic routing mode is regional, Network Connectivity Center dynamic routes from its hybrid spokes are only programmed in the same region as each hybrid spoke.
If the dynamic routing mode is global, Network Connectivity Center dynamic routes from its hybrid spokes are programmed in all regions.
The VPC spoke only uses the dynamic routing mode when hybrid spokes reside in the same hub.
Hub administrators do the following:
Give access to the Network Connectivity Center hub so that spoke administrators can propose VPC spokes that are located in projects other than the hub's project.
Spoke administrators create VPC spokes and hybrid spokes:
Create a VPC spoke proposal to attach a workload VPC network to the hub.
A hub administrator must review proposed VPC spokes that are located in projects other than the hub's project.
Spoke administrators or network administrators for the routing VPC networks must configure advertisement of subnet routes in VPC spokes. Either of the following techniques can be used:
A spoke administrator for the hybrid spoke can set the
includeImportRangesfield to["ALL_IPV4_RANGES"]in the hybrid spoke resource by using the API. For more information, seeLinkedRouterApplianceInstances,LinkedInterconnectAttachments, andLinkedVpnTunnels.A spoke administrator for the hybrid spoke can update the hybrid spoke by using the Google Cloud CLI with the
--include-import-ranges=[ALL_IPV4_RANGES]flag. For more information, seenetwork-connectivity spokes linked-router-appliances update,network-connectivity spokes linked-interconnect-attachments update, andnetwork-connectivity spokes linked-vpn-tunnels update.A network administrator for the routing VPC network can advertise custom address ranges on the Cloud Routers for the hybrid spokes. The custom ranges can be a list of all subnet IPv4 address ranges of the VPC spokes on the hub, or you can use larger CIDRs that contain the subnet IPv4 address ranges of the VPC spokes.
Route tables
The Network Connectivity Center hub route table lists all learned dynamic routes from on-premises networks and subnet routes that are reachable from the attached spoke networks through the Network Connectivity Center hub. Hub route tables are read-only resources, fully managed by Network Connectivity Center. For detailed information about how to view the hub route table, see View the hub route table and routes.
The hub route table is updated with appropriate route entries when the following events occur:
- VPC spoke creation or deletion
- Subnet creation or deletion in attached VPC spokes
- Hybrid spoke creation or deletion
- BGP route advertisement or withdrawal from attached hybrid spokes
Each VPC spoke also has a VPC network route table. Each VPC network route table lists all routes that are programmed in the VPC network. For steps to view the VPC route table, see View the VPC route table.
Example use cases
The following examples illustrate an Network Connectivity Center hub that contains both hybrid spokes and VPC spokes.
Overlapping Network Connectivity Center dynamic routes
The following Network Connectivity Center hub has a VPC spoke and two hybrid
spokes. Both hybrid spokes connect to an on-premises network that advertises both
192.168.0.0/16 and 192.168.44.10/24. This example illustrates how Network Connectivity Center
programs overlapping dynamic routes in a VPC spoke. For simplicity,
this example considers hybrid spokes that are in the same region. The next example,
How global dynamic routing mode and MED work together
illustrates hybrid spokes in two regions.
In the preceding diagram, an on-premises network uses both the 192.168.0.0/16
and 192.168.44.10/24 IP address ranges. The on-premises network connects to two
routing VPC networks using two pairs of VLAN attachments in the
us-west1 region of each routing VPC network:
The
a-westhybrid spoke contains the Cloud Routers and VLAN attachments that receive192.168.0.0/16. This hybrid spoke sends the192.168.0.0/16dynamic routes to the hub.The
b-westhybrid spoke contains the Cloud Routers and VLAN attachments that receive192.168.44.10/24. This hybrid spoke sends the192.168.44.10/24dynamic routes to the hub.
The VPC spoke imports four Network Connectivity Center dynamic routes from the hub:
Two Network Connectivity Center dynamic routes for
192.168.0.0/16, both with next hops in thea-westhybrid spoke.Two Network Connectivity Center dynamic routes for
192.168.44.10/24, both with next hops in theb-westhybrid spoke.
VMs and other resources in the us-west1 region of the VPC spoke use the
Network Connectivity Center dynamic routes as follows:
Packets whose destinations fit within
192.168.44.10/24are sent to the VLAN attachments in theb-westhybrid spoke.Packets whose destinations fit within
192.168.0.0/16, but not in192.168.44.10/24, are sent to the VLAN attachments in thea-westhybrid spoke.
How global dynamic routing mode and MED work together
The following Network Connectivity Center hub has a VPC spoke and two hybrid
spokes. The two hybrid spokes are in a single routing VPC network.
The on-premises IP address range is 192.168.44.10/24. This example illustrates
how the multi-exit discriminator (MED) value, dynamic routing mode, and
Cloud Router best path selection algorithm control the creation of dynamic
routes in both the routing VPC network and in VPC
spokes.
In the preceding diagram, an on-premises network uses the 192.168.44.10/24 IP
address range. Four VLAN attachments, two in us-west1 and two in us-east1,
connect the on-premises network to a routing VPC network,
routing-vpc-network. BGP sessions for the two VLAN attachments in each region
are managed by Cloud Routers in the same region.
The routing VPC network is configured as follows:
- The dynamic routing mode is global.
- The best path selection mode is legacy.
- The two VLAN attachments in
us-west1are added as a hybrid spoke (west-hybrid-spoke) on the Network Connectivity Center hub. - The two VLAN attachments in
us-east1are added as a hybrid spoke (east-hybrid-spoke) on the Network Connectivity Center hub.
The on-premises routers advertise the 192.168.44.10/24 IP address range:
- Using MED
10to the BGP sessions for thewest-aandeast-aVLAN attachments. - Using MED
20to the BGP sessions for thewest-bandeast-bVLAN attachments.
In the routing VPC network, each region's Cloud Router
dynamic route control plane and VPC control plane work together
to create the following local dynamic routes for 192.168.44.10/24 in each region:
In the
us-west1region, two local dynamic routes have next hops in the region and one next hop is in theus-east1region:- The dynamic route with priority
10uses thewest-aVLAN attachment next hop. - The dynamic route with priority
20uses thewest-bVLAN attachment next hop. - The dynamic route with priority
275uses theeast-aVLAN attachment next hop. Theeast-anext hop has the highest priority (10) in theus-east1region, and the inter-regional cost betweenus-west1andus-east1is265.
- The dynamic route with priority
In the
us-central1region, both of the local dynamic routes have next hops in different regions:- The dynamic route with priority
243uses theeast-aVLAN attachment next hop. Theeast-anext hop has the highest priority (10) in theus-east1region, and the inter-regional cost betweenus-central1andus-east1is233. - The dynamic route with priority
248uses thewest-aVLAN attachment next hop. Thewest-anext hop has the highest priority (10) in theus-westregion, and the inter-regional cost betweenus-central1andus-west1is238.
- The dynamic route with priority
In the
us-east1region, two local dynamic routes have next hops in the region and one next hop is in theus-west1region:- The dynamic route with priority
10uses theeast-aVLAN attachment next hop. - The dynamic route with priority
20uses theeast-bVLAN attachment next hop. - The dynamic route with priority
275uses thewest-aVLAN attachment next hop. Thewest-anext hop has the highest priority (10) in theus-west1region, and the inter-regional cost betweenus-east1andus-west1is265.
- The dynamic route with priority
A workload VPC network, workload-vpc-network, is added to the
same Network Connectivity Center hub as a VPC spoke. Network Connectivity Center
creates Network Connectivity Center dynamic routes for
192.168.44.10/24 in each region of the workload VPC network to
match the local dynamic routes created in each region of the routing
VPC network. The dynamic routing mode and best path selection
mode of the workload VPC network aren't relevant because the
workload VPC network doesn't contain the Cloud Router
resources that manage the BGP sessions for the VLAN attachments.
To control the path from the workload VPC network to the
on-premises network, adjust the MED values advertised by the on-premises
network for the 192.168.44.10/24 prefix. For details about how Network Connectivity Center
dynamic routes interact with subnet routes and other types of dynamic routes, see
Routing order.
What's next
- To create hubs and spokes, see Work with hubs and spokes.
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see Network Connectivity Center partners.
- To find solutions for common issues, see Troubleshooting.
- To get details about API and Google Cloud CLI commands, see APIs and reference.